Every once in a while you run across some information that should not be accessible from the internet, and SCADA systems are by far no exception. Researchers from Free University Berlin are working on a stunning project of mapping internet accessible SCADA Systems worldwide using Shodan and a custom search program.
And… Their map includes sites that contain known vulnerabilities!
According to the project website SCADACS.org, their Industrial Risk Assessment Map (IRAM) “visualizes the approximate geospatial locations of ICS/SCADA and BMS network interfaces found on the Internet. Currently, we use Google Earth and Google Maps for this purpose.”
The custom map allows a user to “browse for ICS/SCADA systems by location and by keyword, and to drill down on information the map backend gathers on these systems from open sources. One such source is the Shodan computer search engine. Another source of information is the alpha version of our own crawler which covers services the Shodan engine does not cover.”
And as you can see from their video above, this map information backend includes a list of known vulnerabilities. Yes the video shows two locations that contain vulnerabilities, one in Austria and another in the US. But before you get too excited, these locations have been tagged as no longer publicly accessible.
So, how big a problem is internet connected SCADA systems, how many are there in Europe?
Oh, a few:
Okay, how about America?
With all the hype about a “Cyber Pearl Harbor” (when Chinese hackers take over our country, kills our power and takes away FaceBook), that doesn’t really look so bad.
But there is a catch.
According to an exceptional article titled “The Great Cyberscare: Why the Pentagon is razzmatazzing you about those big bad Chinese hackers” by Dr. Thomas Rid (Reader in War Studies at King’s College London), the map only displays German manufactured systems:
“The United States looks as if it has the measles. But note that the map is incomplete: It is biased towards German products, the project’s founder told me. If that flaw can be fixed, the United States and other countries would look as bloody red as Germany does already.”
So there is definitely a lot of work to do in securing America’s public systems. Some good news is that the Pentagon plans to create 100 defensive cyber teams by 2015. Of the 100, thirteen teams will focus on defending our national infrastructure:
“National mission forces will employ 13 teams focused on securing U.S. private networks powering critical infrastructure such as transportation systems and other vital industries.“
Hopefully this will be done sooner, rather than later.
A sanitized public Google Maps and Google Earth version of the IRAM map can be located at SCADACS website.
5 thoughts on “Worldwide Map of Internet Connected SCADA Systems”
Um….the number of critical systems (SCADA/control systems) that are directly connected to the Internet within the U.S. is much larger than the picture shows above. Myself and several other researchers here in the U.S. have developed our own version starting back in mid-2008, and didn’t begin ingesting data until mid-April 2012.
Dubbed Project SHINE (SHINE means “SHodan INtelligence Extraction”), this project does something similar with searchable criteria of over 650 terms and contextual data points, and more added weekly. For the U.S. alone, we estimate that number to be much larger than what DHS has identified, and have still yet to find a baseline from which we can begin finalizing our analysis.
The numbers are staggering…so far…worldwide…the numbers have exceeded 650,000 devices (to date, as of Wednesday, March 20th).
At some point in time, we plan on sharing our analysis data with the SCADA/control systems security communities, and invite your readership to join the SCADASEC mailing list for more information. SCADASEC is the world’s largest open forum discussion area specifically created for discussing SCADA and control systems security topics. Joining the list is free and publicly available.
For more information, visit our web site at: http://www.scadasec.com
Thank you so much for the information! I highly recommend my readers visit your website which seems to contain a wealth of security information for multiple fields.
Scada systems shouldnt be connected to the internet. Unless part of the business intension is to have them hacked and out of action. Wake up
I completely agree!